I don't do bug bounties and I am not a lawyer, but use caution. You are accepting email destined for another organization. As illogical as this may sound, their company may react poorly and may send their lawyers after you. At that point, it is about proving malicious intent. They may fail but things can get complicated and expensive for you. I would explicitly start rejecting all email destined for that domain asap. All of this depends on how their folks think and trying to predict that is risky. I would also set up a simple static web page on that domain that says, "Did you mean to visit example.com instead?" without a clickable link so that your typo domain is not showing up in their stats.
As for what to do with this domain? This is probably not the answer you are looking for, but I would just let it expire.